13# Third-country transfers
Hi guys, and welcome back. This Tuesday’s topic is one that always seems to be in the spotlight. It’s that of third countries and the GPDR. The regulations famously have specialised rules on third-country data transfers, also known as international transfers. This post is divided into two parts. The first is about adequacy decisions and transfer tools, which are required to enable a legal international transfer. The second half is about transfer impact assessments, which are necessary if there is not an adequacy decision in place for the receiving country at the time of the transfer.
The rules are for transferring personal data outside the EEA or the UK to a third country or an international organisation. The personal data should be undergoing or is intended to be processed. All three of these criteria must be fulfilled for there to be an international transfer:
- A controller or a processor is subject to the GDPR for the given processing.
- This controller or processor (“exporter”) discloses by transmission or otherwise makes personal data, subject to this processing, available to another controller, joint controller or processor (“importer”).
- The importer is in a third country or is an international organisation. That is irrespective of whether this importer is subject to the GDPR in respect of the given processing under Article 3 (the regulations’ territorial scope of application).
By “third country” means all states outside the EU/EEA or the UK for the UK GDPR. An international organisation means an organisation and its subordinate bodies, that are governed by public international law, or any other body which is set up by or based on an agreement between two or more countries.
Any international transfer under these circumstances must rely upon one of the legal tools (transfer tool) listed in the regulations. As a first step, you should verify if the European Commission or the UK’s Secretary of State has decided that the receiving country (where the personal data will end up) ensures an adequate level of protection. It’s called an adequacy decision, and these are the countries that the European Commission recognised adequacy protection:
Andorra, Argentina, Canada (commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom under the GDPR and the LED, and Uruguay
The same adequacy decisions are in place for the UK, including their territory of Gibraltar. Please see the ICO’s guidance to see an exhaustive list for the UK.
Without an adequacy decision in place, it is necessary to have a transfer tool for the envisaged international transfer. The UK and EU GDPR provide slightly different tools that you can use. Here is the list of tools for the UK and EU GDPR:
- Binding corporate rules (BCRs).
- Standard data protection clauses (SCCs). For the UK, made by the Secretary of State; or specified in a document issued (and not withdrawn) by the Commissioner. For the EU if they’re adopted by the European Commission.
- Codes of conduct.
- Certification mechanisms.
- Ad hoc contractual clauses between the parties, if authorised by the Commissioner, or for the EU by the competent authority.
- International agreements or administrative arrangements. Authorised by the Commissioner for the UK, or by the competent authority for the EU.
- A legally binding and enforceable instrument between public authorities or bodies.
The most commonly used ones for transfers are SCCs, together with additional safeguards and measures that supplement the transfer to ensure compliance with the regulations. There are, however, derogations from the requirement to have a transfer tool in specific cases, but that is outside the scope of this blog post since it’s rather fringe.
Transfer impact assessments
Okay, now you know there are adequacy decisions and transfer tools. If there is no adequacy decision in place, and you want to use a transfer tool, you must apply the appropriate transfer tool. To know if it is appropriate, you will need to carry out a transfer impact assessment, or TIA for short. The aim is to evaluate the effectiveness of the transfer tool you rely on. That includes how it prevents access by public authorities of the third country, and how it ensures the level of protection of the personal data transferred to what is essentially equivalent to the EU/EEA or the UK.
For example, a comprehensive TIA could consist of the following steps:
- Mapping of the intended transfer. Being aware of where the personal data goes is necessary to ensure that it is afforded an essentially equivalent level of protection wherever it is processed.
- Verify that you rely on a correct and appropriate transfer tool.
- Assessment of whether and how the law or practices in the third country may impinge on the effectiveness of the transfer tools you are relying on, in the context of your specific transfer. I.e., if the party from the third country importing your data is prevented from complying with its obligations under the chosen transfer tool due to the third country’s legislation and practices applicable to the transfer. Which includes the transit of data between countries. The assessment should contain elements concerning access to data by public authorities of the third country, such as whether public authorities of the third country may:
- seek to access the data with or without the knowledge of the party importing your data, in light of legislation, practice and reported precedents;
- be able to access the data through the party importing your data or through the telecommunication providers or communication channels in light of legislation, legal powers, technical, financial, and human resources at their disposal and reported precedents.
If you conclude that the legislation or practices impinge on the effectiveness of the transfer tool you are relying on, you need to adopt necessary supplementary measures to bring the level of protection in line with the EU/EEA standards. The measures could be technical, contractual, or organisational. For example, encrypting the data transferred, obliging the importer to provide information on all access requests previously received from public authorities, or training the staff responsible for managing the access requests. If you are unable to identify effective supplementary measures, you have to suspend transfers of personal data to the third country.
There are a lot of guidance and recommendations on the topic of international transfers. Both from the European Data Protection Board, and the UK’s Information Commissioner’s Office. The guidelines and recommendations are used as sources, and they can be used by you as an additional deep dive by you.
If you’d like expert help with, for example, adopting the correct transfer tool, assessing supplementary measures, or the legal practices in the importing country, we have our Professional Services Team. Don’t hesitate to reach out to me at firstname.lastname@example.org or my colleagues in the team if you have any questions. You can also connect with your privacy peers over at the Q&A forum, Watercooler by DPOrganizer.
Next week, I will talk about the requirement to have a record of processing activities, or RoPA for short. See you then!